About two weeks ago I wrote a post about the security implications of buying a Lenovo, or any other brand of PC, manufactured inside China for the domestic market, following reports that Lenovo was including a government-approved encryption module on their system motherboards. While I recommended caution when buying a domestic Chinese computer, I was not particularly concerned about the possibility that machines manufactured for the foreign market would be so compromised.
Well, it turns out that the US Congress is a little bit more suspicious of China than I am. (Gee, who would have thought?) The New York Times today is reporting that a number of Congressmembers from both parties are in an uproar over an announcement that Chinese-owned Lenovo has won a bid to supply 15,000 machines to the US State Department.
The critics warn that the deal could help China spy on American embassies and American intelligence-gathering activities, using hardware and software planted in the computers.
“The opportunities for intelligence gains by the Chinese are phenomenal,” said Michael R. Wessel, a member of the United States-China Economic and Security Review Commission, which was created by Congress to monitor and report on the bilateral relationship. Larry M. Wortzel, the commission’s chairman, said in an interview two weeks ago that while he would not be concerned if Airbus moved an aircraft production line to China, he would be worried if Lenovo ever started to sell computers to American government agencies involved in foreign affairs. Responding on Thursday to the Lenovo deal, he predicted that, “Members of Congress, I think, will react very strongly when they see a deal like this come through.”
The opposition seems to be a combination of misguided economic nationalism, mixed with a vague but real appreciation of possible security concerns. Surprisingly, this article does not mention the security chip Lenovo has been installing on their domestic models. Now, it would of course be trivial to see whether or not that chip is installed on the machines being purchased by the State Department, but doing a full-blown security audit would probably be enough trouble that it would become more economical to just go to the next lowest bidder instead.
The real question is this: are the possible security concerns serious enough to justify the panic? Supporters of the deal point out that the computers will be used only for unclassified work, but honestly that shouldn’t do anything to reassure you. Most of the government’s paperwork is unclassified, but still not public. Think of things like personnel records and so on that would be of great use as intelligence.
Now, how possible is it that Lenovo could build a back door into the systems that routine security procedures (and let’s assume, perhaps incorrectly, that the government follows correct security procedure) would not stop? The security chip mentioned in my earlier post would probably not be used for encryption, in favor of a standard software solution. There could be some sort of back door hidden in the BIOS, but on modern operating systems, the BIOS code is no longer running once the OS starts. (Note, EFI is a whole other kettle of worms, but let’s not get into that now.) And I would hope that standard procedure is to do a clean install of all software off of a disk image file prepared by government IT personnel, so as to make sure that all security settings are correct, and there is no possibility of a disk-resident trojan.
What is the final conclusion? I don’t have a firm answer, not having nearly enough information or time to analyze it, but I would be interested to hear other thoughts on the matter.